IN THE CLAIMS 

This listing of the claim will replace all prior versions and listings of claim in 
the present application. 
Listing of Claims 

1 . (currently amended) A security management system for controlling a 
security status of each of a plurality of managed systems constituting an information 
system in accordance with an information security policy representing a policy of a 
security measure, comprising: 

a plurality of management sections corresponding to at least one managed 
system and the information security policy, each management section being for 
controlling the security status of the managed system corresponding thereto so as to 
adjust the security status to the information security policy corresponding thereto; 

a database registering a correspondence of the information security policy, the 
managed system and each management section; 

a security content reception section for receiving a selection of a range of the 
information security policy and the managed system from a user; 

an extraction section for extracting from said database the management 
section registered so as to correspond to the information security policy and the 
managed system included in the range in which said security content reception 
section has received the selection; and 

a management control section for all owing obtaining from the managed 
system status information representing the security status of the managed system, 
comparing the status information obtained from the managed system to the 
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management section extracted by said extraction section to chang e and changing the 
security status of the managed system corresponding to the management section 
based on result of the comparison so as to ad j ust to th e i nform a t i on s e cur i ty po li cy 
corr e spond i ng to th e m a nag e m e nt s e ct i on . 

2. (currently amended)A security management system for auditing a 
security status of each of a plurality of managed systems constituting an information 
system, the security status concerning an information security policy representing a 
policy of a security measure, comprising: 

a plurality of audit sections corresponding to at least one managed system 
and at least one information security policy, each audit section being for auditing the 
security status concerning the corresponding information security policy of the 
corresponding managed system; 

a database registering a correspondence of the information security policy, the 
managed system and the audit section; 

a security content reception section for receiving a selection of a range of the 
information security policy and the managed system from the user; 

an extraction section for extracting from said database the audit section 
registered so as to correspond to the information security policy and the managed 
system included in the range in which said security content reception section has 
received the selection; and 

an audit control section for obtaining from the managed system status 
information representing the security status of the managed system, comparing the 
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status information obtained from the managed system to a ll ow i nq the audit section 
extracted by said extraction section and changing to aud i t the security status 
conc e rn i ng th e i nform a t i on s e cur i ty po li cy of the managed system corresponding to 
the audit section based on a result of the comparison . 

3. (currently amended)A security management system for controlling a 
security status of each of a plurality of managed systems constituting an information 
system in accordance with an information security policy representing a policy of a 
security measure, comprising: 

a plurality of management sections corresponding to at least one managed 
system and at least one information security policy, each management section being 
for controlling the security status of the corresponding managed system so as to 
adjust the security state to the corresponding information security policy; 

a plurality of audit sections corresponding to at least one managed system 
and at least one information security policy, each audit section being for auditing the 
security status concerning the corresponding information security policy of the 
corresponding managed system; 

a database registering a correspondence of the information security policy, the 
managed system, the management section and the audit section; 

a security content reception section for receiving a selection of a range of the 
information security policy and the managed system from a user; 

an extraction section for extracting from said database the management 
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section and the audit section, which are registered so as to correspond to the 
information security policy and the managed system included in the range in which 
said security content reception section has received the selection; 

a management control section for obtaining from the managed system status 
information representing the security status of the managed system, comparing the 
status information obtained from the managed system to a ll ow i ng the management 
section extracted by said extraction section and changing to ch a ng e the security 
status of the managed system corresponding to the management section based on a 
result of the comparison s o as to adjus t to th e i nformat i on securi ty p ol ic y 
corr e sponding to th e manag e m e nt s e ct i on ; and 

an audit control section for allowing the audit section extracted by said 
extraction section to audit the security status concerning the information security 
policy of the managed system corresponding to said audit section. 

4. (currently amended)A security management method for controlling a 
security status of each of a plurality of managed systems constituting an information 
system with an electronic computer in accordance with an information security policy 
representing a policy of a security measure, comprising the steps of: 

receiving a selection of a range of the information security policy and the 
managed system from a user; 

extracting a management program corresponding to an information security 
policy and a managed system, included in the range in which the selection has been 
received, among a plurality of management programs describing a processing for 



5 



controlling the security status of the corresponding managed system so as to adjust 
the security status to the corresponding information security policy, the plurality of 
management programs corresponding to at least one information security policy and 
at least one managed system, which are previously stored; and 

obtaining from the managed system status information representing the 
security status of the managed system, comparing the status information obtained 
from the managed system to status information as represented by the information 
security policy of the managed system, a l l ow i ng th e ele ctron i c comp ute r to e x e cut e 
th e e xtra cted man ag e m e nt program and to chang e changing the security status of 
the managed system corresponding to the management program by modifying the 
management program based on a result of the comparison, so that th e s e cur i ty 
st a tus th e r e of i s adjust e d to th e i nformation s e cur i ty po li cy corr e spond i ng to th e 
m a n a g e m e nt proqr a m and allowing the electronic computer to execute the modified 
management program . 

5. (currently amended)A security management method for auditing, with 
an electronic computer, a security status of each of a plurality of managed systems 
constituting an information system, the security status concerning an information 
security policy representing a policy of a security measure, comprising the steps of: 

receiving a range of a selection of the information security policy and the 
managed system from a user; 

extracting an audit program registered so as to correspond to the information 
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security policy and the managed system, which are included in the range in which 
the selection has been received, among a plurality of audit programs describing a 
processing for auditing the security status concerning the corresponding information 
security policy of the corresponding managed system, the plurality of audit programs 
corresponding to at least one information security policy and at least one managed 
system, which are previously stored; and 

obtaining from the managed system status information representing the 
security status of the managed system, comparing the status information obtained 
from the managed system to status information as represented by information 
security policy of the managed system, changing the al l ow i ng th e ele ctron i c 
comput e r to e x e cut e th e e xtracted aud i t program and to a ud i t th o security status of 
the managed system corresponding to the audit program by modifying the audit 
program , th e s e cur i ty st a tus conc e rn i ng th e i nform a tion s e cur i ty po li cy corr e spond i ng 
to th e aud i t program and allowing the electronic computer to execute the modified 
audit program . 

6. (currently amended)A storage medium storing a program for controlling 
a security status of each of a plurality of managed systems constituting an 
information system in accordance with an information security policy representing a 
policy of a security measure, 

wherein said program is read out and executed by an electronic computer, 

to construct, on said electronic computer, 
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a security content reception section for receiving a selection of a range of the 
information security policy and the managed system from a user; 

an extraction section for extracting a management program corresponding to 
an information security policy and a managed system, which are included in the 
range in which said security content reception section has received the selection, 
from a database storing a plurality of management programs describing a processing 
for controlling the security status of the corresponding managed system so as to 
adjust the security status of the managed system to the corresponding information 
security policy, the plurality of management programs corresponding at least one 
managed system and at least one information security policy; and 

a management control section for obtaining from the managed system status 
information representing the security status of the managed system, comparing the 
status information obtained from the managed system to status information as 
represented by the information security policy of the managed system, a l low i ng s ai d 
ele ctron i c comput e r to e x e cut e th e man a g e m e nt program e x e cut e d — by s a id 
e xtract i on soct i on and to chang e changing the security status of the managed system 
corresponding to the extracted management program by modifying the management 
program, so as to a djust th e s e curity status to th e i nform a t i on s e cur i ty po li cy 
corr e spond i ng to th e e xtract e d m a nag e m e nt program and allowing the electronic 
computer to execute the modified management program . 

7. (currently amended)A storage medium storing a program for auditing a 
security status concerning an information security policy representing a policy of a 
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security measure of a plurality of managed systems constituting an information 
system, 

wherein said program is read out and executed by an electronic computer, 
to construct, on said electronic computer, 

a security content reception section for receiving a selection of a range of the 
information security policy and the managed system from a user; 

an extraction section for extracting an audit program registered so as to 
correspond to an information security policy and a managed system, which are 
included in the range in which said security content reception section has received 
the selection, from a database storing a plurality of audit programs describing a 
processing for auditing the security status concerning the corresponding information 
security policy of the corresponding managed system, the plurality of audit programs 
corresponding to at least one managed system and at least one information security 
policy; and 

an audit control section for obtaining from the managed system status 
information representing the security status of the managed system, comparing the 
status information obtained from the managed system to status information as 
represented by the information security policy of the managed system, 
changing all ow i ng th e el ectron i c comput e r to e x e cut e th e a ud i t progr a m e xtract e d b y 
sa i d e xtract i on s e ct i on and to aud i t the security status concerning the information 
security policy corresponding to the audit program by modifying the audit program, 
and allowing the electronic computer to execute the modified audit program -of-tt^ 
m a nag e d syst e m corr e spondi n g to th e aud i t program . 
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Claims 8-13 (canceled). 



